Solved

Active Directory Remote Users Prevent Cache Logon

Posted on 2014-03-20
Last Modified: 2014-03-26
Hello all,
I have been asked to find a solution for securing corporate PC information from access by remote personnel upon their termination; we are using VPN.
Basically, if the business terminates an employee, they want to ensure the user will no longer be able to log in to the laptop they were issued, nor onto the domain. The domain side is the easy part, but how would I immediately be able to reach out and secure the machines for these remote users, so they can no longer log in with the cached credentials?
I was told of a way via SCCM that may facilitate this, but I can find nothing related.
Please, any direction and help is appreciated because I do not want to be the next to be released here.

Kry
Question by:kryanC
4 Comments
 
LVL 16

Assisted Solution

by:R. Andrew Koffron
R. Andrew Koffron earned 334 total points
ID: 39943104
Just need to set a group policy, and join the machines to the Domain prior to deployment:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Network Access: Do not allow storage of credentials or .NET Passports for network authentication

If you can recall the machines, it's pretty easy: plug 'em in and force a gpupdate. If they remain external, I don't know how to fire it retroactively to external VPN clients. I'm not sure; I'd think you'd have to create a local GPO update and a script to download it to each machine and fire it locally. I've never had any consistent success getting things to work over VPN.

But going forward, just make sure your initial deployment stops caching.
 
LVL 36

Assisted Solution

by:Mahesh
Mahesh earned 166 total points
ID: 39943510
The above setting will stop cached login for working employees at home as well.

Once you have disabled the user account for the terminated user, make sure that you have immediately disabled their mailbox, emails and any other logins (VPN, internet data card etc.) they might have.

Now, even if the user is able to log in offline with cached credentials, they can't practically do anything.
 
LVL 16

Accepted Solution

by:R. Andrew Koffron
R. Andrew Koffron earned 334 total points
ID: 39943612
Keep in mind that policy changes need to be applied by the login process, so remote machines have already authenticated by the time they get to the VPN stage. If you remove caching, you'll need to set them to use a VPN/dial-up connection in order to boot up/log in, prior to logging into the remote machine, and that will ONLY work when their internet connection is on and the VPN is up and running; it may render machines completely useless unless each machine has a local profile, and a local profile wouldn't apply a domain policy.

Sort of a catch-22. I don't know a good way around it either.
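An added example (PowerShell, not code from any of the posts above) that audits the two local settings behind this discussion: `CachedLogonsCount` backs "Interactive logon: Number of previous logons to cache", which is the setting that actually decides whether a domain user can still sign in with no domain controller reachable, while `DisableDomainCreds` backs the "Network access: Do not allow storage of ..." policy quoted in the first answer, which only governs saved credentials for network authentication. It assumes it is run elevated on the domain-joined laptop being checked; the setter is for a local audit or recall scenario, since a domain GPO will re-apply its own value at the next refresh.

```powershell
# Added example, not from the thread. Assumes an elevated session on a
# domain-joined Windows client.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-CachedLogonState {
    # CachedLogonsCount (REG_SZ, 0-50) = "Interactive logon: Number of previous logons to cache".
    # Windows treats an absent value as the default of 10.
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
               -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $cached) { $cached = 10 }

    # DisableDomainCreds (REG_DWORD) = "Network access: Do not allow storage of
    # passwords and credentials for network authentication". Absent means 0 (allowed).
    $noDomainCreds = (Get-ItemProperty -Path $lsa -Name DisableDomainCreds `
                      -ErrorAction SilentlyContinue).DisableDomainCreds
    if ($null -eq $noDomainCreds) { $noDomainCreds = 0 }

    $offline = [int]$cached -gt 0
    if ($offline) {
        $note = 'Offline domain logon possible: a disabled/terminated account can still sign in until a DC is reached.'
    } else {
        $note = 'Offline domain logon disabled: sign-in requires a reachable DC (e.g. VPN up before logon).'
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        CachedLogonsCount  = [int]$cached
        OfflineDomainLogon = $offline
        DisableDomainCreds = [int]$noDomainCreds
        Note               = $note
    }
}

function Set-CachedLogonsCount {
    # Writes the local value; 0 disables cached domain logon entirely.
    param([ValidateRange(0, 50)][int]$Count)
    Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value ([string]$Count) -Type String
    Get-CachedLogonState
}

Get-CachedLogonState | Format-List
```

The audit function is the part worth running across recalled or VPN-connected laptops before deciding on a policy, because it shows whether the quoted "Network access" setting alone has changed anything about offline logon.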
 

Author Closing Comment

by:kryanC
ID: 39956960
Thanks to all. Catch-22 is the best way of illustrating how to force it and kill their ability to work offline at the same time if I want to protect the data.
If anyone has a third-party solution or any other ideas, I would be interested, because the "business" says they are sure there is such a solution but can't remember what it is.
Thanks again,

Kry